Re: The specified Directory Service has denied access




You have to give Authenticated Users in your Domain/Forest read rights on
the particular partitions in ADAM you wish them to be able to read.

dsHeuristics displaying as not set by default is normal; only flip the bits
you need to flip for a particular reason, otherwise leave it at the default, since
each bit controls how different functions in the directory service
behave.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services


No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Resources
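Because dsHeuristics is a positional string in which a single character (the seventh, fLDAPBlockAnonOps, set to '2') opens the instance to anonymous LDAP operations, it is worth checking a candidate value before writing it and auditing the value that is already set. The following is an added example, not code from this thread or from Microsoft; it assumes the MS-ADTS layout of dsHeuristics, namely that position 7 is fLDAPBlockAnonOps and that every tenth character is a check digit equal to its position divided by ten ('1' at position 10, '2' at position 20, and so on).

```python
"""Validate and inspect dsHeuristics strings for an ADAM / AD LDS instance.

Assumptions (from MS-ADTS, not from the thread): positions are 1-based,
position 7 is fLDAPBlockAnonOps ('2' permits anonymous LDAP operations
beyond the rootDSE), and every 10th character is a check digit whose
value is position // 10.
"""

ANON_OPS_POSITION = 7          # fLDAPBlockAnonOps
ANON_OPS_ALLOWED = "2"         # value that permits anonymous LDAP operations


def flag(value: str, position: int) -> str:
    """Return the 1-based position's character; a short string means 'unset' ('0')."""
    return value[position - 1] if len(value) >= position else "0"


def check_digit_ok(value: str) -> bool:
    """Every 10th character must equal str(position // 10)."""
    for pos in range(10, len(value) + 1, 10):
        if value[pos - 1] != str(pos // 10):
            return False
    return True


def validate(value: str) -> list[str]:
    """Return a list of problems; an empty list means the string is well-formed."""
    problems = []
    if value and not value.isdigit():
        problems.append("dsHeuristics may only contain decimal digits")
    if not check_digit_ok(value):
        problems.append("a check digit at a multiple-of-10 position is wrong")
    return problems


def anonymous_ldap_allowed(value: str) -> bool:
    """True when the instance would accept anonymous LDAP operations."""
    return flag(value, ANON_OPS_POSITION) == ANON_OPS_ALLOWED


def with_flag(value: str, position: int, char: str) -> str:
    """Return a copy of value with one position set, padded with '0' and
    with the check digits filled in so the result is well-formed."""
    chars = list(value.ljust(position, "0"))
    chars[position - 1] = char
    for pos in range(10, len(chars) + 1, 10):
        chars[pos - 1] = str(pos // 10)
    return "".join(chars)


def audit(value: str) -> str:
    """One-line summary a reviewer could log for a configured instance."""
    problems = validate(value)
    if problems:
        return "MALFORMED: " + "; ".join(problems)
    state = "anonymous LDAP operations ALLOWED" if anonymous_ldap_allowed(value) \
        else "anonymous LDAP operations blocked (default)"
    return f"dsHeuristics={value or '<not set>'}: {state}"


if __name__ == "__main__":
    # Constructed sample values: an unset attribute and a 13-character string.
    for sample in ["", "0000002001001", "0000002000"]:
        print(audit(sample))
```

An unset attribute validates as the default (anonymous operations blocked), a string whose tenth character is not '1' is reported as malformed, and `with_flag` shows how a well-formed value is built when a specific position has to be changed.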

"Lady Frances" <LadyFrances@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8720C770-3B1B-4D68-88CA-98D60DE1EB62@xxxxxxxxxxxxxxxx
Thank you for your answer, Christoffer.

The thing is I do not wish to enable anonymous ldap binding (unless I have
misunderstood the word and "anonymous" means that the user is not
authenticated in any domain).

What I am trying to achieve is for the ldap directory to be available to users
(who belong to the AD forest and) who have provided their username and
password in the address book account. They would be able to access the ldap
directory although they are not logged onto a domain. Is this possible?


Another thing is that the dsHeuristics setting for the instance is not set.
Is that normal? And, as I cannot modify the value of the seventh character,
should I set the value to 0000002001001?


As you might have gathered, I am quite new in the field so any help would be
greatly appreciated.

Frances

"chriss3 [MVP]" wrote:

Hello, to allow anonymous connections to the ADAM instance application
directory partition you will need to modify the dsHeuristics setting for
the instance. See:

ADAM Help File
How To section
Manage an ADAM instance
Allow anonymous LDAP binding to an ADAM instance


You then need to modify the ACEs on the partition entries using
DSACLs or by adding a security principal to one of the ADAM builtin
roles for the partition e.g. Readers role.



--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services


No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Resources

"Lady Frances" <LadyFrances@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:576BDEE8-B646-4BDF-9897-FC3A4D2320DD@xxxxxxxxxxxxxxxx
I have installed ADAM on a front-end server which is in the DMZ.
There is no problem accessing the ldap directory from our network, i.e. when
one is logged onto the domain.

But when trying to access the directory from the internet (using wab), I get
the following error: "The specified Directory Service has denied access.
Check the Properties for this Directory Service and verify that your
Authentication Type settings and parameters are correct."

I noticed that the system hosting ADAM uses the client's Windows logon
information and not the Directory Service Account information. The event
viewer shows this:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 17.05.2006
Time: 10:05:38
User: NT AUTHORITY\SYSTEM
Computer: [Server hosting the ADAM instance]
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: [Windows XP logon username]
Domain: [Client workstation name]
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM

Is there any specific configuration I need to enable the ldap directory to
be accessed using the credentials provided as the Directory's Service
Account, regardless of what information is used to log onto the Windows
session?

Thanks in advance,
Frances







